Posted
by
timothy
on Saturday July 02, 2011 @06:20AM
from the want-it-both-ways dept.

mrtwice99 writes "Dropbox recently updated their TOS, Privacy Policy, and Security Overview. Included in the TOS is the following statement: 'By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service.' I think Dropbox is a great service, but what is the significance of granting them such broad usage rights?"
Elsewhere in the same Terms of Service, which are a few notches above the norm in both brevity and readability, Dropbox says both "Dropbox respects others’ intellectual property and asks that you do too," and "You retain ownership to your stuff."

It's the usual clause companies have to put now a day so that some asshat won't sue them for millions of dollars even if the service providers offered the services like advertised. Dropbox probably needs this clause to show your content in a public link that you link to others. Youtube and any other user submitted service has similar clauses. The law probably needs fixing, but that isn't the companies fault - blame the asshats abusing it.

Has nothing to do with that. Simple disclaimers fix that. They are doing it to profit off what they don't own.

For example? And by 'example', I mean an example of something they are actually doing and not just something you think they could conceivably do.

These sorts of clauses are almost always about trying to legally protect the way the site/service works. Why would Dropbox think it could just take your shit and sell it (what you seem to think they are going to do here)?

"For example? And by 'example', I mean an example of something they are actually doing and not just something you think they could conceivably do."

You make it sound like you don't understand how contract law works at all. You read the contract and decide if the terms sound good before taking action on it. You don't agree to it by default, and then wait to see if you get screwed over and then smack your head.

Dropbox is not going to sell your files. How can you possibly think they are going to sell/redistribute your files on their own? You even quote the relevant part and then paraphrase it. "The extent they think it necessary for the service". Do you think "selling your files" is "necessary for the service"? Do you think that Dropbox will try this? They will lose their customer base overnight if they did. And if they did, do you think it would hold up in court? How do you justify "

Just ask yourself why Slashdot has no such agreement. Somehow Slashdot manages to scrape by without this "essential" clause.

You might want to read Slashdot terms before making such statements because

In each such case, the submitting user grants Geeknet the royalty-free, perpetual, irrevocable, non-exclusive, transferable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform, and display such Content (in whole or part) worldwide and/or to incorporate it in other works in any form, media, or technology now known or later developed, all subject to the terms of any applicable license.

Slashdot (and whole Geeknet) license agreement is actually even wider than Dropbox, as they don't even limit it to as-required-by-service.

I know an author who lost the entire first chapter of her book this way. She uploaded it to Facebook in order to share it with her publisher. Facebook then sued her (and won) when her book was published. She now owes Facebook ALL MONEY she ever made on that chapter (a portion of her portion of the sales) AND over $100,000 in attorney fees that Facebook spent to sue her out of her own hard word and creativity.

I have a hard time believing this anecdote - I suspect you just made this up.

If true, it should have been all over the news, given that stories about the 'dangers' of FaceBook are fairly popular. A story about how FaceBook wants you to upload your IP so they can sue away your rights for their own profit would be making the rounds in no time.

Provide some links to valid news articles describing this case or I'll have to call this a fictional fabrication.

There is no breach of trust, no corporate abuse, no amount of legalese overkill that someone somewhere won't excuse and apologize for.

Um, what? What "breach of trust", "corporate abuse", or "legalese overkill" (wow, you start out with two insane assertions, then try to sneak the *almost* pertinent one as though it's part of the bunch!) is happening here?

Dropbox isn't stealing people's files. They aren't selling people's files. The TOS are required for them to be able to function legally.

They wouldn't have bothered to consult a lawyer to put it there if they had no intention of ever using it.

Yes (well, they don't need to ever intend to use a clause to include it, they can merely think it might be useful). And it's there so they can allow you t

Yeah, the phrase "To the extent we think it necessary for the Service" would not be a terribly good defence for Dropbox if they took a user's screenplay and sold it to Disney. Sure they could try to argue that making money from selling a user's screenplay is necessary for "the service" but they'd be very lucky to find a court that would accept such an interpretation.

I don't see anything iffy here. DropBox are securing the rights to provide their service without being sued by some chancer. This story is pure

The problem with that phrase is the 'we think' part. That implies a subjective judgement and it makes Dropbox the sole arbiter of whether something is required for the service or not. The parenthetical clause is also quite concerning, because it's redundant given the sublicenseable qualification. The entire quoted section was obviously not drawn up by anyone with any legal training (or, if it was, by someone who should be disbarred before they can do any more damage).

True, but there have to vagueness. Would it be more reasonable to simply say "whatever us necessary to provide the service", and then refer to the definition if the service? This would seem safe so long as users have the right to have their data if the service should change in an undesirable way?

You seem to have missed the part where it says, "...to the extent which we think it necessary for the Service." I think they would have trouble convincing a judge that allowing someone you did not designate access to your copyrighted material without your explicit permission for Dropbox's profit was something they legitimately thought was "necessary for the Service."

What you (and most others here) seem to have missed is that Dropbox generally has absolutely no idea what your content is. Everything is encrypted. How exactly are they distributing your "copyrighted material" when it can't be decrypted?

In rare cases (specifically those required to cooperate with law enforcement) Dropbox has indicated that they could decrypt. I expect they will do this as rarely as possible, as it opens up questions they'd likely rather leave closed.

"What you (and most others here) seem to have missed is that Dropbox generally has absolutely no idea what your content is. Everything is encrypted. How exactly are they distributing your "copyrighted material" when it can't be decrypted?"Except it *CAN* be decrypted. Dropbox has already admitted that THEY have the encryption keys and they can decrypt (and turn over to the gov't if necessary) your data. If they can decrypt it then they can read it. And that means, according to their terms of service, that

Has nothing to do with that. Simple disclaimers fix that. They are doing it to profit off what they don't own.

Oh well, my account is now deleted, not my problem anymore.

That seems a foolish overreaction. Yes, this TOS is fairly broad, but it releases them to implement many new services down the line that require automatic transcoding, format conversions, creation of Web sites, etc.

The reality is that Dropbox has no interest in alienating their customers by selling off their stuff. However, consider one simple case: you have your music collection on Dropbox. They decide to offer a "share my photos" feature. You select that feature and they connect your photos to some N frie

If I make a journal entry, uploading it to slashdot gives them permission to post it. It does NOT give them permission to reprint it in a printed magazine or another site. This clause gives them permission to do anything they damned well please with your material.

You might want to read Slashdot terms before making such statements because

In each such case, the submitting user grants Geeknet the royalty-free, perpetual, irrevocable, non-exclusive, transferable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform, and display such Content (in whole or part) worldwide and/or to incorporate it in other works in any form, media, or technology now known or later developed, all subject to the terms of any applicable license.

Slashdot (and whole Geeknet) license agreement is actually even wider than Dropbox, as they don't even limit it to as-required-by-service.

Correct. I have a Dropbox account, and that's exactly what it is, although it also has utility as a file-sharing service as well. You can create and designate folders as "shared with other users" and "shared with guest users (for people without an account)". Folders so designated will allow anyone to download files in those folders.

So when I post on Slashdot, my intent is clear -- I'm making what I type available to the public at large. But this is also true for files that I put in my folders that are sh

Well, many people myself included use it as a quick place to share files on irc, im or forums and as a image host. Dropbox has many functions that supports sharing too, like picture galleries. I do save a few backup files there, but encrypted.

I haven't used Dropbox, but I didn't think it had a similar purpose. I thought it was more like a cloud-based hard drive.

I see a significant difference between the two.

It's clear they have additional plans as well. My guess is that they're going to layer lots of content management and presentation services on top of Dropbox. For example, if you store lots of text on Dropbox, then you might want a way to catalog and organize it, and transform some of it into books for self-publishing while pushing other chunks out to the Web as a blog. They could easily offer this service with their "cloud hard drive" as the backing store. Amazon already gives you several ways to use their

who cares, I kind of expect slashdot to publicly display my comments. I wouldn't expect a "filesystem in the cloud" to have rights to publicly display some sketches I'd keep there - or them to sublicense that stuff.. fuck 'em, you can buy filehosting at better terms.

They are claiming rights they do not need to perform the services they are providing. It's probably because their lawyer suggested that they claim more rights than they actually need and throw in the "to the extent we think it necessary" clause as a buffer (and not because they plan to use them), but either way it's wrong to do, and I'm going to tell them so.

You realize the way that clause is written that you could use Dropbox to send a draft of your novel to your editor and Dropbox could publish it. Regardless of the intent, there has to be narrower language that would work. They could add something like "in the context of the service" which means their publishing rights are limited to the service itself.

They might need the clause, but they don't need anything nearly that broad.

Seems to me that it'd be hard to argue in court that publishing your novel and selling it has anything to do with carrying out the service, or that it'd be reasonable for them to expect ("think") that it would be necessary. Sure, lawyers are good at twisting things, but this would be a tough one.

I feel like that's exactly what they did. It's all along the lines of: we want to store your stuff, but unfortunately, to do that we need the rights to it or else it'd be considered infringement, so we are going to ask for the rights needed to store your stuff (which they list). No fancy legalese, intent is stated, limitations are stated in plain language ("to the extent which we think it necessary for the service").

The summary missed the true problem which is that this TOS requires that the user hold copyright or right to grant a license on the material in question. Which means you can only put up original content, public domain, etc... Legally purchased MP3s cannot be uploaded, GPL content cannot be uploaded (as there terms are not GPL compatible). It is a slippery slope and poorly thought out move by dropbox's lawyers. By opening door to the idea that users need to control certain copyright terms in order to use cloud based storage, you essentially make it useless from a standpoint of using the service legally and you will increase pressure from **AA to force cloud based storage managers to police and filter content.

That is a very valid point! I think it's one of those areas in which we'll have to allow practicality to override the letter of the law. For example, I buy a DVD whose terms prohibit retransmission yet I stream it wirelessly to my TV. It may be against the letter of the licence, but it's hopefully not the kind of thing they intended to exclude. One would hope that what they want to prevent is transmission outside of the home/family.

If I email myself some GPLed code, does the fact that the email is going to

If you stream a DVD whose terms prohibit retransmission, or if you mail yourself GPL code, that's covered by fair use. Fair use protects you against the copyright owner going after you for copyright violation. Third parties are still allowed to do things conditional on whether you have the rights.

If the TV set was owned by someone else and he put a terms of use on it which said that you can't stream that DVD, streaming the DVD won't violate copyright (because of fair use), but it *would* violate the terms

"You give us the right to make derivative works from your stuff" is just about as far away from "usual" as you can get it.

With a clause like that, Dropbox can do the smallest of alterations to your stuff, sell it, and not give you a dime. Even if it's something that you sell for $$ and don't give away for free. Hell, with a clause like that, Dropbox can take your software code and release it under any license they want, essentially as if they were you.

Note carefully, they don't say "necessary for providing the Service". Why is that? Is it because the money they attempt to get from selling your stuff is needed to motivate them to keep the servers running?

I never had an account with them, and obviously I'm not going to ever get one. As matter of fact, I have my own instance of Open-Xchange on the Net, and I can store my own InfoItems from wherever I want to.

They went to far. Amazon publicly shows your content (when you authorize). Amazon is customer focused. Here is what the AWS Customer agreement says. It covers all services including S3.

8.1 Your Content. As between you and us, you or your licensors own all right, title, and interest in and to Your Content. Except as provided in this Section 8, we obtain no rights under this Agreement from you or your licensors to Your Content, including any related intellectual property rights. You consent to our use of Your Content to provide the Service Offerings to you and any End Users. We may disclose Your Content to provide the Service Offerings to you or any End Users or to comply with any request of a governmental or regulatory body (including subpoenas or court orders).

The dropbox tos is what happens when you give lawyers with little or no business experience free reign. The Amazon agreement provides the same relevant protection without all the irrelevant bs that scares people away.

Yep, and the PATRIOT Act was supposed to catch terrorists, all those videogames refused to offer dedicated servers because they'd provide their own, better servers for as long as people were playing anyway, and my ex-girlfriend was supposed to just be borrowing my CDs.

Naive? I work for a company that also deals with user submitted content on the internet. We have a very similar clause in our TOS just for this reason and I do understand why companies are by law required to put it there. Slashdot has it too.

I don't see any such disclaimer at slashdot. If I did I certainly wouldn't be posting short science fiction stories [slashdot.org] in my slashdot journal; a couple hundred more of these and I'll publish them in book form (so far there are only four).

In each such case, the submitting user grants Geeknet the royalty-free, perpetual, irrevocable, non-exclusive, transferable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform, and display such Content (in whole or part) worldwide and/or to incorporate it in other works in any form, media, or technology now known or later developed, all subject to the terms of any applicable license.

Um, yeah. Next up, they'll be taking users to court for doing just that, claiming it denies their rights to use your works.

Ok, probably not... but these days, it seems the craziest lawsuits get filed, so it wouldn't really surprise me.

But I gotta wonder: Could they legally bring such a suit, based on their TOS?

It doesn't matter. Such an action would immediately result in at least half of their users abandoning the service. I know I would.

I think the Slashdot crowd is trying awfully hard to imagine scenarios where this TOS (which is the same as many other Web-based storage TOSes) will lead to total anarchy. Problem is, it's really fairly standard.

Wuala offers both encryption and cheap storage via data deduplication. They simply AES encrypt your stuff using it's own SHA as the key. And they use the encrypted file's SHA for the identifier. In this way, any two people should encrypt the same file to the same encrypted file, but nobody who's never seen the original file could read it, including Wuala.

Soon, we'll see the MafiAA perusing people's DropBox accounts to delete pirated content and/or sue its possessors. Wuala doesn't offer that much more technical protection here since they'll simply subpoena the list of people possessing a particular file, but they cannot actually just browse your account because each directory gets encrypted too and directories are usually unique. Also, Wuala is far more likely to fight a MafiAA subpoena because they're (a) based in Switzerland, (b) started as a P2P network, and (c) started by academics.

Google, deviantArt, Facebook, et al, they all have very similar or same wording in their TOS's. Point is, if they transfer data from your account to someone else's account, it is considered distribution, performance if they show video to others, etc, etc. So they need you to license your stuff to them so they're permitted to carry out their services. The fact that it, on paper, gives them right to do many other things is worrying, but not at all unusual. Good thing about Dropbox version is that it at least has the "to the extent we think we think it necessary for the Service." That is an improvement.

Also keep in mind that in some cases, like in case of deviantArt, the license is time-limited to the duration of your usage of the service, which helps. I don't use Dropbox, so I don't know if that's the case with Dropbox. In some cases, it is not possible for service providers to time-limit the license, because the data may need to be available to other users after you leave.

Not really. Any time they display or send your content to another person, that's copyright infringement. So they need a license from you, it needs to be worldwide (since anyone can access the website), you WANT it to be non-exclusive, they don't intend to pay you to use their service so royalty-free, sublicenseable to the extent that if they use akami or some such to host the content, then akami doesn't comment infringement..

Time duration's about the only piece of the typical grant that is questionable. Sin

Not really. Any time they display or send your content to another person, that's copyright infringement. So they need a license from you, it needs to be worldwide (since anyone can access the website), you WANT it to be non-exclusive, they don't intend to pay you to use their service so royalty-free, sublicenseable to the extent that if they use akami or some such to host the content, then akami doesn't comment infringement..

Ding! Correct answer. Akami is a great example of where this is necessary. I could easily imagine a user suing Dropbox when they find out that their stuff was handed over to a third party (possibly even modified into another format in the process). In reality, of course, this might be done for the simple reason of getting it back to the same user that put it in Dropbox faster, but without these protections, there's no way for Dropbox to defend such an action.

You need to read something about copyright law. Derivative work must be an _original_ work of _human_ authorship. Trivial, technical, and/or machine-processed versions are not derivative works (such as thumbnails, etc.). Also, most of that is protected by the Fair Use doctrine already and nobody needs "world-wide, non-revocable, permission to derive".

Well, Facebook needs that right so that they can sell your photos for use as stock photos to third parties (e.g. Starbucks). Creating an advert incorporating your uploaded photos involves creating a derived work.

If it had said something with "to the extend it is nessesary to provide the services of the system" or something similar

The key difference between Dropbox's wording "to the extent we think it necessary for the Service" and your suggested wording "to the extent it is necessary to provide the services of the system" appears to consist of "we think".

at least you could go to court when they start selling CD's with your indie bands songs.

As I understand it, Dropbox users in that case could still go to court and convince a judge why a reasonable person wouldn't "think it necessary for the Service".

If you read the whole agreement, it isn't as scary as the poster has implied.

Your Stuff & Your Privacy

By using our Services you may give us access to your information, files, and folders (together, “your stuff”). You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent we think it necessary for the Service. You must ensure you have the rights you need to grant us that permission.

How we use your stuff is also governed by the Dropbox Privacy Policy, which you acknowledge. You acknowledge that Dropbox has no obligation to monitor any information on the Services, even though we may do so. We are not responsible for the accuracy, completeness, appropriateness, or legality of files, user posts, or any other information you may be able to access using the Services. We may disclose information about your account or your stuff to law enforcement officials as outlined in our Privacy Policy.

Um, it still sounds just as bad to me even in context. Legally, the sentence "We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files)." doesn't affect the meaning in any way, other than couch it in the implication - to the layman - that the extent of the sentence following, is limited by that sentence. However, it isn't; if you parse the English, the two sentences are not connected.

The entire thing is horrible from a legal standpoint. If that's their actual TOS, rather than an informal FAQ or similar, then run a mile from their service. They clearly haven't consulted a (remotely competent) lawyer in drawing up a legal document. From previous Slashdot stories, they haven't consulted a remotely competent cryptographer in designing their encryption either. I wonder if they've consulted anyone competent about anything at all...

They should have said "to the extent necessary to perform the actions you request", or something to that effect. Instead, they say "to the extent we think it necessary for the Service", which basically means "however we want".

It sounds like you have to be in a position to grant a Dropbox rights in the first place. If you are not the original author, that is a bit of a problem. This clause is a BIG problem, but not just for the reasons pointed out in the summary. This means that you cannot use dropbox to transfer your legally purchased music, movies, books, or other content between devices because you do not have the right to grant Dropbox the rights that they are asking for in most cases.

If it bothers you that much, don't bee a freetard, get yourself a basic website with webspace, and you control your own domain and don't have to worry about companies making up such TOCs where they think they own copyrights they have no right to. (this was not a troll posting).

Unless you plan to host from home i'm sure that many of the hosting companies out there have similar or more intrusive contracts. Bare in mind, if you do host from home your consumer-grade provider might have a similar policy or they may start bitching if you have too many folks accessing your stuff and impose quotas

Seriously, you are going to compare Dropbox to "a basic website with webspace", and this gets modded Insightful? I have lots of websites, there is a reason I use Dropbox, its a great product. I'm just concerned the terms are overly broad.

You are giving dropbox the rights to do whatever they want to with your content, according to this. All of thye examples are just that - examples. The terms give them the right to make the judgment on what they want to do. And, since they are free to change the privacy policy at will, just as they changed the TOS, you have no protections.

They can write this much more tightly to protect themselves and give you absolute control. The problem is that to do so it will be very long and "legalese" and not frie

IANAL, but it seems to me it would be hard to argue in court that Dropbox selling my content for money is necessary for the service or that they could reasonably think that necessary for executing the service.

Contracts are contracts. In the US (where Dropbox and probably most of its users are based), courts rarely do anything but follow their express terms. It's a fundamental aspect of the common-law heritage of our legal system that virtually anything is subject to contract under virtually any terms. Exceptions are few, and aside from contracts calling for manifestly criminal conduct, most of the exceptions come from either express law forbidding

So after having a problem where access given was access forever and when people could get to your stuff without a password they are now pretending they own everything people put there? Maybe it's time for law enforcement to get involved with these clowns and hit them with fraud for pretending to have a secure service.

No, they are being granted a license to use what people put there. There is a difference.

Maybe it's time for law enforcement to get involved with these clowns and hit them with fraud for pretending to have a secure service.

Yes someone better call the Internet Police and... oh wait. This comment doesn't even make sense. Call which law enforcement exactly? And for what charge? "I don't like their Terms of Service" isn't, as far as I'm aware, something any country's laws have a charge for. You don't like the terms, you don't use the service.

At the end of the day, dropbox is really just a fancy front end bolted on to Amazon's s3 service. So basically if Amazon demanded no copyrighted material be stored on the service, dropbox must change it's TOS to match..... Ultimately your dropbox data is essentially in the hands of not just one, but 2 different companies.

So basically if Amazon demanded no copyrighted material be stored on the service

...then they'd have to close that business unit by the end of the week. Hint: this post is copyrighted material. So is yours. So is the photo I took and uploaded to Flickr. In short, almost everything is copyrighted, and if Amazon tried to institute a no-copyrighted-material policy they'd be stuck with no customers but Project Gutenberg.

It leaves off the last sentence of the quoted paragraph from the TOS: "You must ensure you have the rights you need to grant us that permission."

IANAL, but I suspect that this is the linchpin of the terms. In order for any of the foregoing rights to be granted to dropbox, you must actually have rights in the first place. You are completely on the hook if you sync anything improperly.

This all sounds fine in theory, but I bet there's not a single dropbox customer who isn't running afoul of this term. It's not really dropbox's fault, it's the fault of our cockamamie copyright laws which grant automatic copyright on EVERYTHING on first publication.

When everything's covered, nothing's covered. Except for those who have the deep pockets to bring suit.

Apparently the submitter has never read a TOS before. That statement's been in almost every major corporation's TOS that I've read to date, and it's mostly an ass-covering line as mentioned by other posters. While I don't like the policy of including unreasonable policies in a TOS, this is hardly unique to dropbox and appears to be part of a mudslinging campaign instead of actual news.

Damn it, now my rc.conf file, and my conkyrc file will be there for the world to exploit. People will realize how I got mpd to display album art on my desktop, and they'll know which services I start in the background when my machine loads! THE HORROR

The case studies all use words like "secure", "MD5", "RSS feeds" and "encryption" to describe the security of The Cloud. I don't know about you, but that sounds damn secure to me! Some Clouds even use SSL and HTTP. That's rock solid in my book.

And there I was trying to make my service actually secure when all I needed to do was sprinkle our blurb with some secure-sounding keywords. Thanks for the tip.:)